An email spambot just accidentally leaked its own mailing lists, revealing over 700 million email addresses along with many passwords. The leak is being called one of the largest of all time, and it was discovered thanks to a poorly configured web server which was hosting the files in a way that allowed it to be accessed by just about anyone.
The email spam list, which includes some 711 million email accounts, is a messy mix of what appears to be new addresses and ones scraped from other leaks, including the infamous LinkedIn breach. Troy Hunt, the security researcher who maintains the website Have I Been Pwned? reports that the leak is the largest single data dump he’s come across.
Not all of the email accounts in the massive list have login credentials associated with them, and the individual who initially discovered the misconfigured spambot’s data — a security researcher who goes by Benkow — believes that the passwords were (or still are) being used to forward spam from legitimate accounts. Hunt notes that it’s also possible that the passwords in the list are there because the mailing list was copied over from other prior leaks, many of which included credentials.
The list itself is a messy mix of addresses which includes many duplicates, as well as countless emails with prefixes that would render them unusable. It’s hard to tell at this point exactly how many legitimate email addresses are even on the list, but the sheer volume of data is enough to warrant plenty of concern.
“It took [Have I Been Pwned?] 110 data breaches over a period of 2 and a half years to accumulate 711m addresses and here we go, in one fell swoop, with that many concentrated in a single location,” Hunt writes. “It’s a mind-boggling amount of data.”
The entire spambot data archive has been uploaded to Have I Been Pwned? and is now fully searchable by email address. If you’re worried that your information was included in the dump, simply type in your email address and the site will let you know one way or the other. As always, if your email address has indeed been leaked, it’s always a good idea to refresh your password with something new to help avoid unwanted access.